Sub-logarithmic Distributed Oblivious RAM with Small Block Size

Oblivious RAM (ORAM) is a cryptographic primitive that allows a client to securely execute RAM programs over data that is stored in an untrusted server. Distributed Oblivious RAM is a variant of ORAM, where the data is stored in $m>1$ servers. Extensive research over the last few decades have succeeded to reduce the bandwidth overhead of ORAM schemes, both in the single-server and the multi-server setting, from $O(\sqrt{N})$ to $O(1)$. However, all known protocols that achieve a sub-logarithmic overhead either require heavy server-side computation (e.g. homomorphic encryption), or a large block size of at least $\Omega(\log^3 N)$. In this paper, we present a family of distributed ORAM constructions that follow the hierarchical approach of Goldreich and Ostrovsky [GO96]. We enhance known techniques, and develop new ones, to take better advantage of the existence of multiple servers. By plugging efficient known hashing schemes in our constructions, we get the following results: 1. For any $m\geq 2$, we show an $m$-server ORAM scheme with $O(\log N/\log\log N)$ overhead, and block size $\Omega(\log^2 N)$. This scheme is private even against an $(m-1)$-server collusion. 2. A 3-server ORAM construction with $O(\omega(1)\log N/\log\log N)$ overhead and a block size almost logarithmic, i.e. $\Omega(\log^{1+\epsilon}N)$. We also investigate a model where the servers are allowed to perform a linear amount of light local computations, and show that constant overhead is achievable in this model, through a simple four-server ORAM protocol

Homomorphic Secret Sharing for Low Degree Polynomials

Homomorphic secret sharing (HSS) allows $n$ clients to secret-share data to $m$ servers, who can then homomorphically evaluate public functions over the shares. A natural application is outsourced computation over private data. In this work, we present the first plain-model homomorphic secret sharing scheme that supports the evaluation of polynomials with degree higher than 2. Our construction relies on any degree-$k$ (multi-key) homomorphic encryption scheme and can evaluate degree-$\left( (k+1)m -1 \right)$ polynomials, for any polynomial number of inputs $n$ and any sub-logarithmic (in the security parameter) number of servers $m$. At the heart of our work is a series of combinatorial arguments on how a polynomial can be split into several low-degree polynomials over the shares of the inputs, which we believe is of independent interest

On Sums of Locally Testable Affine Invariant Properties

Affine-invariant properties are an abstract class of properties that generalize some central algebraic ones, such as linearity and low-degree-ness, that have been studied extensively in the context of property testing. Affine invariant properties consider functions mapping a big field Fqn to the subfield Fq and include all properties that form an Fq-vector space and are invariant under affine transformations of the domain. Almost all the known locally testable affine-invariant properties have so-called “single-orbit characterizations ” — namely they are specified by a single local constraint on the property, and the “orbit ” of this constraint, i.e., translations of this constraint induced by affine-invariance. Single-orbit characterizations by a local constraint are also known to imply local testability. Despite this prominent role in local testing for affine-invariant properties, single-orbit characterizations are not well-understood. In this work we show that properties with single-orbit characterizations are closed under “summation”. Such a closure does not follow easily from definitions, and our proof uses some of the rich developing theory of affine-invariant properties. To complement this result, we also show that the property of being an n-variate low-degree polynomial over Fq has a singleorbi

Verifiable homomorphic secret sharing

In this paper, we explore the multi-server (i.e., multiple servers are employed to perform computations) and multi-client (i.e., multiple clients outsource joint computations on their joint inputs) scenario that avoids single points of failure and provides higher security and privacy guarantees. More precisely, we introduce the notion of verifiable homomorphic secret sharing (VHSS) for multi-input, that allows n clients to outsource joint computations on their joint inputs to m servers without requiring any communication between the clients or the servers; while providing the verifiable capability to any user to confirm that the final output (rather than each share) is correct. Our contributions are two-fold: (i) we provide a detailed example for casting Shamir’s secret sharing scheme over a finite field F as an n-client, m-server, t-secure perfectly secure, additive HSS scheme for the function f that sums n field elements, and (ii) we propose an instantiation of an n-client, m-server, t-secure computationally secure, multiplicative VHSS scheme for the function f that multiplies n elements under the hardness assumption of the fixed inversion problem in bilinear maps

Efficient Multiparty Protocols via Log-Depth Threshold Formulae

We put forward a new approach for the design of efficient multiparty protocols: 1. Design a protocol π for a small number of parties (say, 3 or 4) which achieves security against a single corrupted party. Such protocols are typically easy to construct, as they may employ techniques that do not scale well with the number of corrupted parties. 2. Recursively compose π with itself to obtain an efficient n-party protocol which achieves security against a constant fraction of corrupted parties. The second step of our approach combines the “player emulation ” technique of Hirt and Maurer (J. Cryptology, 2000) with constructions of logarithmic-depth formulae which compute threshold functions using only constant fan-in threshold gates. Using this approach, we simplify and improve on previous results in cryptography and distributed computing. In particular: • We provide conceptually simple constructions of efficient protocols for Secure Multiparty Computation (MPC) in the presence of an honest majority, as well as broadcast protocols from point-to-point channels and a 2-cast primitive. • We obtain new results on MPC over blackbox groups and other algebraic structures. The above results rely on the following complexity-theoretic contributions, which may be of independent interest

A Note on the Communication Complexity of Multiparty Computation in the Correlated Randomness Model

International audienc